
SoylentNews is people

posted by mrpg on Saturday December 01 2018, @05:39AM
from the dnss dept.

Submitted via IRC for Bytram

Mozilla Testing DNS-over-HTTPS in Firefox | SecurityWeek.Com

Mozilla is moving forward with yet another project designed to provide users with increased security: it is now testing DNS-over-HTTPS (DoH) in Firefox stable.

Only a small group of users will enjoy the feature for now, as it is still in the testing phase, but Mozilla is determined to work with industry players for a larger rollout. When that will happen, however, remains to be seen.

Mozilla has already been testing DoH in its browser, measuring the time it takes to get a response from Cloudflare’s DoH resolver. With the test results positive, revealing large performance improvements even for the slowest users, the Internet organization has decided to move forward with its plans.

“A recent test in our Beta channel confirmed that DoH is fast and isn’t causing problems for our users. However, those tests only measure the DNS operation itself, which isn’t the whole story,” Mozilla’s Selena Deckelmann explains. 

  • (Score: 5, Interesting) by bzipitidoo on Saturday December 01 2018, @06:50PM (4 children)

    by bzipitidoo (4388) on Saturday December 01 2018, @06:50PM (#768691) Journal

    Have a look at S-HTTP. It was proposed in the late 90's, it was better than HTTPS, and ... commercial vendors chose the weaker standard.

    Among the advantages is that most if not all of the problems we have with DNS-- the cache poisoning, spoofing, and verification problems-- aren't such problems with S-HTTP. S-HTTP works better with HTTP. No need for a separate port 443.

    HTTPS is such overkill on a side issue. It's like HDCP, the DRM for HDMI cables. There's just no reason to encrypt publicly available content, not when eavesdroppers can simply read the URLs from the packets and go to the public sites themselves to see what's being viewed. Could have just digitally signed the public data so the recipient can check that it has not been altered in transit, no need to encrypt everything. I find this massive move to HTTPS in recent years a bit baffling. If that's such a great idea, why not push to encrypt all emails, IRC, and other forms of personal and private messaging?

  • (Score: 2, Insightful) by Anonymous Coward on Saturday December 01 2018, @07:48PM (2 children)

    by Anonymous Coward on Saturday December 01 2018, @07:48PM (#768702)

    "There's just no reason to encrypt publicly available content"

    I disagree. First you have no reasonable expectation that one communication is in any way similar to another regardless of the A record, or URL. There are all kinds of server side hacks from geo-IP to integration with user profile databases that allow the transmitted data to be unique on per user basis. If it is unique to you, then it isn't "publicly available".

    From a legal perspective I think it goes a lot further than that. When you use DNS mining and ad-tracking, in order to provide data to sociopathic professionally trained industrial psychologists (advertisers), it becomes harmful to human welfare. As these systems become more highly targeted the degree of abuse is going to become more acute. For example, pimps using these systems to target households on the poverty line with young women in them, with content and advertising that make the victims of their trade more recruitable. (If that isn't going on already I'd be surprised.)

    Personally I consider DNS mining and ad-tracking to be indistinguishable from felony wiretapping. The founders had reasons for the 3rd and the 4th amendments. Regardless of what dogmatic circle jerk the judiciary uses to pretend the carriers and data brokers are not acting as agencies of state, the founders reasons are as relevant today as they were then.

    The intrusion is not as overt as, say, wearing a fake police uniform and searching somebody's home. But the degree of intrusion is so extensive that 20 years ago it would only have been possible if operating under the color of law, pretending to do so fraudulently, or acting feloniously. The invasion is non-consensual, and the loss is realized in the form of reduced mental health. How are we to reconcile the changes between then and now? Are they agents of state, criminals pretending to be agencies of state, or just plain old criminals? Because nobody asked them to do this, and there is a clinically measurable loss being incurred.

    • (Score: 3, Insightful) by bzipitidoo on Saturday December 01 2018, @11:23PM (1 child)

      by bzipitidoo (4388) on Saturday December 01 2018, @11:23PM (#768760) Journal

      An early stage of providing good security is specifying "security against what?" What is the threat? Even earlier than that is figuring out if we're talking about security or privacy, or something else. They aren't the same thing. The very term "security" is ripe for abuse, and it has been abused greatly.

      Almost anything can be cast in terms of fears, and security against those fears. The damnedest crazy notions that might somehow be slightly related to security get taken seriously. As an example, consider the idea of building a "big beautiful wall" on the US-Mexico border, and this latest hokum about a migrant caravan threatening to cross the border. Long walls are fake security. Very, very costly, and worthless unless manned at even more expense. Today, the Great Wall of China is naught but a tourist attraction, and a massive monument to human stupidity. The Maginot Line was another colossal failure. Obviously, walls can't stop planes or boats. But more subtly, what they are is the wrong security against the wrong problem. On the outside, hordes of barbarians pressing up against the wall, and on the inside a declining empire struggling to field enough soldiers to man the wall. But if the empire was healthy, it would have no trouble with a border, wall or no. The French needed to reform and expand their army and military doctrines and practices, not kid themselves that a fortified line could really stop the Germans. Even before that, the French should've taken the legs out from under one of Germany's main grievances, the supposed unfairness of the Versailles Treaty, in particular, the reparations.

      The idea of HTTPS or S-HTTP or any other encryption as a defense against data collection and for our privacy is much the same as walls. It's looking at the problem wrong. You can't hide your gender or race, or your purchases. Instead, we have such things as the EEOC and laws against discrimination. We also had the 1965 Voting Rights Act, until the politicians currently in power managed to get a feeble pretext of us now being "post racist" accepted. Laws against discrimination and abuse, and against the mechanisms used to carry out bigotry are a much better solution than trying to be private about things you can't hide from determined bigots. Even better would be a cure for bigotry, and perhaps even further, insofar as bigotry is caused by external factors such as poverty and desperation, eliminate those factors.

      • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @04:06AM

        by Anonymous Coward on Sunday December 02 2018, @04:06AM (#768810)

        "You can't hide your gender or race, or your purchases."

        Actually, in the 90's, when there was no such thing as a switch fabric that could do line rate stateful inspection that is exactly what we had.

        "security against what?"

        We don't need to ask that question. The first draft of that particular specification was written in 1789. All the Internet does (or did until the ISPs were all bought out by mobbed-up pirates) is digitize the exercise of existing human rights. From a constitutional standpoint, interpersonal communication is not different now than it was after the last constitutional congress. Though from a statutory standpoint it is totally different. The dichotomy between the two is the measure of extra-jurisdictional reach by the respective legislatures, and the judiciaries that affirm their insanity.

  • (Score: 2) by DarkMorph on Monday December 03 2018, @02:53AM

    by DarkMorph (674) on Monday December 03 2018, @02:53AM (#769040)

    There's just no reason to encrypt publicly available content, not when eavesdroppers can simply read the URLs from the packets and go to the public sites themselves to see what's being viewed. Could have just digitally signed the public data so the recipient can check that it has not been altered in transit

    It's not about concealing publicly accessible data. It's about tampering in transit. Digital signature reflects that you anticipated that key problem, but how do we guarantee the signature is trustworthy? To make a slight analogy, it's like saying we can use a checksum to ensure the payload is the right sequence of bytes. But if I'm tampering with your data stream, I would also tamper with the checksum or digital signature to convince you no MITM has occurred. This was what certificates were supposed to solve.

    why not push to encrypt all emails

    PGP, S/MIME

    IRC

    IRC servers offer connections via TLS. Clients can even use SASL.

    private messaging

    How about Tox?

    no need to encrypt everything

    But we really should.
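The point DarkMorph makes above, that a checksum can be recomputed by whoever alters the stream while a keyed tag cannot, and that a signature is only as good as the receiver's reason to trust the verification key, can be shown with a small simulation. The following is an added example, not code from the thread or from Mozilla; it uses HMAC-SHA256 from the Python standard library as a stand-in for a public-key signature (the shared key plays the role of the signer's private key), and the sample page, keys and the "in-transit rewrite" are constructed demo values.

```python
"""Added example: unkeyed checksum vs. keyed integrity tag vs. trust anchor.

Three receivers look at the same 'public' page after an on-path rewrite:
  1. one that checks a CRC32 (recomputable by anyone),
  2. one that checks an HMAC under a key it obtained out of band
     (the role a certificate / trust anchor plays for TLS),
  3. one that checks an HMAC under whatever key arrives with the message
     (no trust anchor, so the tag proves nothing about the origin).
"""
import hashlib
import hmac
import zlib

# Constructed sample data; not real secrets.
PAGE = b"<html><body>Download: https://example.invalid/tool.tar.gz</body></html>"
PUBLISHER_KEY = b"constructed-publisher-key"
OTHER_KEY = b"constructed-key-of-someone-else"


def tag_crc(payload: bytes) -> int:
    """Unkeyed checksum: anyone who sees the payload can recompute it."""
    return zlib.crc32(payload)


def tag_hmac(key: bytes, payload: bytes) -> bytes:
    """Keyed tag standing in for a signature; producing it requires the key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def rewrite_in_transit(payload: bytes) -> bytes:
    """Models a middlebox altering the page between sender and receiver."""
    return payload.replace(b"tool.tar.gz", b"other.tar.gz")


def receiver_checks_crc(payload: bytes, crc: int) -> bool:
    return zlib.crc32(payload) == crc


def receiver_checks_hmac(key: bytes, payload: bytes, tag: bytes) -> bool:
    # Constant-time comparison, as one should always use for tags.
    return hmac.compare_digest(tag_hmac(key, payload), tag)


def scenario_checksum() -> bool:
    """Sender attaches a CRC; the middlebox alters the page and recomputes it.
    Returns True if the receiver wrongly accepts the altered page."""
    altered = rewrite_in_transit(PAGE)
    assert altered != PAGE  # the rewrite really changed something
    return receiver_checks_crc(altered, tag_crc(altered))


def scenario_keyed_tag_pinned_key() -> bool:
    """Sender tags under PUBLISHER_KEY; the receiver holds that key from an
    out-of-band trust anchor. The middlebox cannot produce a matching tag:
    it can only forward the old one or tag with a key of its own.
    Returns True if the receiver accepts the altered page."""
    altered = rewrite_in_transit(PAGE)
    original_tag = tag_hmac(PUBLISHER_KEY, PAGE)
    forwarded_old_tag = receiver_checks_hmac(PUBLISHER_KEY, altered, original_tag)
    wrong_key_tag = receiver_checks_hmac(PUBLISHER_KEY, altered, tag_hmac(OTHER_KEY, altered))
    return forwarded_old_tag or wrong_key_tag


def scenario_keyed_tag_inband_key() -> bool:
    """Same tag, but the receiver trusts whichever key arrives alongside the
    message. A tag under any key then verifies, so the integrity check
    says nothing about who produced the page.
    Returns True if the receiver accepts the altered page."""
    altered = rewrite_in_transit(PAGE)
    key_in_band = OTHER_KEY
    tag_in_band = tag_hmac(key_in_band, altered)
    return receiver_checks_hmac(key_in_band, altered, tag_in_band)


def run_all() -> dict:
    """Map of scenario name -> whether the receiver accepted the altered page."""
    return {
        "checksum_accepts_tampered": scenario_checksum(),
        "pinned_key_accepts_tampered": scenario_keyed_tag_pinned_key(),
        "inband_key_accepts_tampered": scenario_keyed_tag_inband_key(),
    }


if __name__ == "__main__":
    for name, accepted in run_all().items():
        print(f"{name}: {accepted}")
```

Only the second receiver rejects the altered page. The first fails because the checksum carries no secret, and the third fails even though it uses the same keyed tag, because the key itself arrived over the channel being protected. That last case is the gap DarkMorph points at, and it is what binding a key to an identity through a certificate (or pinning it out of band) is meant to close.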